Thursday, April 10, 2014

HTC Sense 6.0 Bluetooth security "issue" explained

Bluetooth is not a new technology and has long been associated with hands
free headsets but with newer devices over the last few years it has obviously evolved
into a technology that connects to printers, headphones, speakers,
cars and of course other phones.

It wasn't long ago that I still used a Microsoft Zune with my phone sitting
idle as I didn't trust the battery or it didn't have the capacity to store my
music library, it has only been due to looking into the issue I am going to
describe that I have begun to consider using a Bluetooth headset, reflecting on
the pain of trying to untangle my headphones as I make my daily commute into
the city.

But I digress, I made a discovery on the new HTC One M8 (originally noticed on the M7 port by rider5512) that when I shared
had a few other users concerned about using Bluetooth securely.

One of the advantages of being an early adopter and someone who has owned
the previous iteration of a flag ship model is that you quickly spot the
changes that have been made and one of them was a change in the Bluetooth setup
where the ability to set a visibility time out was no longer present and the
only options I could see for Bluetooth were on or off.

I checked some other devices, including the Sony Xperia Tablet Z (running
the latest nightly of Cyanogenmod 11), the HTC One M7 and the LG G2. I also saw,
via a quick Google search that this was standard for Apple devices.

Here you can see that same interface on the HTC One M7 (on Sense 5.5) with
visibility time-out options from Cyanogenmod 11 showing on the right:

Of all the other models I checked, only the HTC One M8 lacked this
visibility option.

So why might this be a concern?

If your device is visible it means that anyone with a Bluetooth
connection can see it, there have been pranks with the name Bluejacking
where you can be sent unsolicited text message and pictures which are mostly
harmless or as you imagine explicit but nothing more than nuisance, with no
data being stolen.

In more extreme cases there is something that is called Bluesnarfing (which
sounds ridiculous I know) where an attacker can change or copy information from
your phone such as your phone book, address book and calendar or even taking it
over completely. Obviously this situations are rare and extreme and as a smart
reader of this blog, you are likely avoiding it.

At the very least you will be exposing your Bluetooth address to others,
for the paranoid Bluetooth can also be used to track you. Certainly if
more people in Hollywood were able to disable Bluetooth visibility the cast of 'Person of Interest' would certainly have to do more work than forced pairing.

Having a visible device will also increase battery consumption!

I asked Jason Dunn, the current outgoing Senior Manager of the HTC community about this and
he quickly got a few details from me and escalated it as initially he thought
his was current practice as it didn't seem to be broken function on the M8 but
the lack of option altogether.

In less than a week (a credit again to Jason and HTC for working closely
with the community), Jason was able to give me a simple yet delightful answer.

In simplest terms, the device is only in discover mode, while you are
present in the Bluetooth settings screen.

Again, so simple but that has two strong reasons:

You won’t accidentally leave the device in a discoverable state.

For non-technical end-users it provides a simple yet effective way for
them to easily connect their device to other Bluetooth devices.

You can see a quick demonstration below, on the top my Xperia has been
unable to find my One M8, on the bottom (and you will have to take my word
for it) is in the Bluetooth settings screen and therefore visible.

Basically, HTC have done a great implementation for end users that does not
compromise security at all! Once paired the devices will continue to
function and connect as you would expect!

On a final note, it is very sad to see Jason moving on from his position at
HTC, but I continue to look forward to his thoughts on Twitter and I already
had the pleasure of meeting his replacement, Laura Kimball, at the HTC London
meet last month.

Great job HTC!

Have any questions or comments? Feel free to share! Also, if you like this article, please use media sharing buttons (Twitter, G+, Facebook) below this post!

For latest news follow Android RevolutionHD on popular social platforms: